UPDATE (WKOW) --- A local health system is under fire after a lawsuit claims it misled patients regarding a recent data breach.

The lawsuit was filed late Friday against Iowa Health Systems Inc, the company that runs UnityPoint Health. UnityPoint operates Meriter Hospital. Attorney Robert Teel filed the class action suit on behalf of Yvonne Mart Fox of Middleton. It claims the hospital delayed reporting a data breach in mid-April. It also alleges UnityPoint Health misled patients into believing their Social Security numbers were not compromised.

Teel said 16,429 patient records were affected by the breach, going back as far as November 2017. Records show the breach happened through a "phishing" attack on employee email accounts. Data compromised is reported to include Social Security numbers, insurance and financial information, diagnosis, and treatment.

In a letter sent to patients, UnityPoint Health said it is not aware of any reports of improper use of the information as a direct result of the breach, but Teel said it's disingenuous to think the data will not be used in an unauthorized manner.

“Why do you think criminals acquire these records? They don't do it for fun. It's well known in the industry that medical records are used for criminal activity,” he said.

Teel said the hospital could have done more to secure patient information.

“In other instances, hospitals have simply stepped up. Other financial institutions who have suffered a data breach have simply stepped up and bought the credit monitoring service as well as the identity theft insurance. So at a minimum, I believe those are the steps UnityPoint should step up and do,” Teel said.

Also in the letter to patients dated April 16, 2018, UnityPoint said “we want to make you aware of the situation so you can take precautionary measures to protect your health information.” It goes on to say, “we encourage you to remain vigilant in reviewing your account statements for fraudulent or irregular activity on a regular basis.”

But Teel said the burden of protecting their health records shouldn't fall on patients.

“Our hope is that again they’ll step up and recognize that this is not the patients’ burden to try to protect the confidentiality of their records. It's the healthcare institution's legal obligation to do so. So, simply telling them they should take precautionary measures is just blame shifting.”

UnityPoint reportedly discovered the data breach between February 7th and 15th 2018. The hospital could be fined up to $25-thousand per plaintiff and per breach, if a judge rules they willingly and knowingly violated the confidentiality of health records. The hospital has 20 days to respond to the lawsuit.

If you're a patient of UnityPoint and are eligible to be included in the lawsuit, you will automatically receive a letter in the mail from UnityPoint Health.

We reached out to UnityPoint Health Sunday, but have not heard back.

In April, the company released the following statement confirming the breach of protected health information:

"After a detailed forensic investigation and document review, UnityPoint Health determined that protected health information was contained in impacted email accounts, including patient names and one or more of the following: dates of birth, medical record numbers, treatment information, surgical information, diagnoses, lab results, medications, providers, dates of service and/or insurance information. For a limited number of impacted individuals, information that may have been viewed included Social Security Numbers or other financial information."

******

MADISON (WKOW) -- A class action lawsuit has been filed against UnityPoint Health after a data breach was announced earlier this year.

The lawsuit claims patients of UnityPoint Health are victims of the health system's negligence in its handling of the reported phishing attack that compromised some employees' email accounts. Letters reporting the breach went out to customers in mid-April 2018. The lawsuit says UnityPoint discovered the problems in February, waited to acknowledge the breach and didn't disclose all the facts about the case.

The class action lawsuit seeks damages and restitution for the plaintiff, Yvonne Mart Fox, of Middleton, and other individuals who have been impacted by the phishing attack.

It also states concerns over the security of personal and protected health information, names, birth dates, addresses, phone numbers, medical records, insurance and other financial information dating back to November 2017.

UnityPoint, which operates Meriter Hospital, said in April the privacy breaches compromised the information of more than 16-thousand patients.

Fox claims she has been inundated with unwanted spam emails and phone calls since the breach, further violating her privacy, according to the lawsuit, and has concerns about future identity theft issues.